General

  • Target

    0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c.zip

  • Size

    562KB

  • Sample

    241202-fnq3va1ka1

  • MD5

    be8d17952bcdf0bac1696e7f9d4fc337

  • SHA1

    902f122bf960a82331505e82c143af91424db1fd

  • SHA256

    0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c

  • SHA512

    79aea791aa8a43ae88bbb27501f09f16b6f63165481b4faa7357a3f037b59a012ec0444954df41f39eadcc02a1d77d34d17eafaad46b55b023e52f61e0950e84

  • SSDEEP

    12288:7Mgw/UcFZJP2zC7ttD0ZgDn/rvPxemsMgw/UUZJP2z/jrEL0cAB3:7M2cF2zQpCgnc/M2U2znELHAB3

Malware Config

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note
kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: 0A6172B017F62EAA

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note
kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: 7189AED8B8AE6568

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note
kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: CC3B1F89FAA517E4

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note
kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: F5657AC3DC58DC8C

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note
kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: 2891E1D4BAC70EBA

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note
kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: 3472CB2D1AB89AAB

Extracted

Path

C:\ProgramData\biobio ransmoware.txt

Ransom Note
kasper Ransmoware ATTENTION! At the moment, your system is not protected. We can fix itand restore files. To get started, send a file to decrypt trial. You can trust us after opening the test file. 2.Do not use free programs to unlock. To restore the system write to both : [email protected] and [email protected] Telegram id:@biobiorans Your Decryption ID: 613788884CE0093F

Targets

    • Target

      0A6172B017F62EAA.exe

    • Size

      137KB

    • MD5

      b556893d6f0219bb98468f724aeb06cf

    • SHA1

      540d6c29aa4a05564da6bf253fc46fc8793277f1

    • SHA256

      a75d6bf3c8cf0fc45b368bd83200d141319c9c67033803a230bd3451a309edff

    • SHA512

      3a9c8477dfec35af9e682e197c76a1c1e341cdd4f4c276d1c18beac9ff5b53da394eac8428e66921369a607cd75c2fb7e430466758df508d6974e59f7f901ae9

    • SSDEEP

      3072:MLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hn2bIoKb:MstYrEMw6Bxk5zOFNtgJiCUb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9111) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      2891E1D4BAC70EBA.exe

    • Size

      137KB

    • MD5

      c04dadf78f2813750900fa54863fb2b7

    • SHA1

      8575e9d6f980b53ea13c37053aa2d55691bfe3e0

    • SHA256

      207a249e3c4359548b9ff264cac31d09c95d626d0e4835c081d8afbb732bac4f

    • SHA512

      20baf3958a55df7fe0196d300809afd2c4d4408c4e08db21f5ed6a1b6d21fcb09eea081813cf2b5ba60d745f745db043d2d2d9132da3ea565306402247b43372

    • SSDEEP

      3072:GLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hv2bIoKb:GstYrEMw6Bxk5zOFNtgJKCUb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9098) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      3472CB2D1AB89AAB.exe

    • Size

      137KB

    • MD5

      cdb5b9402d4db31b15abd8dd2eb1947d

    • SHA1

      912c9ac3addd53685b3409c46dcb73946a74ecd3

    • SHA256

      ba6a4d65b25c86faa7179d1aa3db48c2fc445e393d1b8c0035dbd81d27b93d54

    • SHA512

      50280c0dc4e6d2709d2f18ff77134e029d1a123a5fcb173fab5fc4cd164b64d5b168b6286f39f6d5be7b0dcd140550692963d4fd08577a79682a833d6a6f8619

    • SSDEEP

      3072:PLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hj2bIoKb:PstYrEMw6Bxk5zOFNtgJOCUb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9083) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      613788884CE0093F.exe

    • Size

      137KB

    • MD5

      0b6d033622c9ff929e98c5ef7e2f8860

    • SHA1

      ece019cdcbfab97462461585c58a5cf62bc5deb6

    • SHA256

      ecd80e30e6bae14ca7c1198e430651aa297e01361a0508acef591adc0d50159b

    • SHA512

      a5308bab575e87825cef01ae01ed8da84e1d42e588509b7bda1e8f4ffadc5fcbb39b9c5d6a331d508d74c12ba077cb303706537cb15662076a1fde86106b73e6

    • SSDEEP

      3072:hLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8h32bIoKb:hstYrEMw6Bxk5zOFNtgJ6CUb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9083) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      7189AED8B8AE6568.exe

    • Size

      137KB

    • MD5

      ff7559d2160f6732056ff5a19722e69a

    • SHA1

      aed67bf0c6e521fc552cbb4afe24a1c2eb286da7

    • SHA256

      c2fc050f33d51d5560da425d137ef1e318f16fe5d49ee894327e33c3e12755e3

    • SHA512

      020825f085dc4b08f2454be5425cd937a1f146843b76b445c6d5993d0581fedf93f84742e64b2abe986a8d5803a62a597962a04821488dea771c5354b6dfda10

    • SSDEEP

      3072:oLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hb2bIoKb:ostYrEMw6Bxk5zOFNtgJGCUb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (11272) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      CC3B1F89FAA517E4.exe

    • Size

      137KB

    • MD5

      4aed4c0e78d355e497f2cc509ff078b5

    • SHA1

      31a2ccfd5a679d2badc5fb66f243d4887d9ca444

    • SHA256

      ed4e298040946a3be24dcde8303216644c2d2b78444bb1c9bfc7d17c748aeaa5

    • SHA512

      bb251af369bd2662caef94ee96147439a75307dbfc30e2b2a63fad75af597e7981c41daec8cedb4326fb0243abbce2b681153380ccec79a38095022b85d4a804

    • SSDEEP

      3072:CLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hv2bIoKb:CstYrEMw6Bxk5zOFNtgJSCUb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9123) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      F5657AC3DC58DC8C.exe

    • Size

      177KB

    • MD5

      7bec4faccd4b6485d70a5bb46453ed65

    • SHA1

      e001ad39f7269e5fca76154477e7708b8d729a4b

    • SHA256

      787798eea28e8ea672f3cbfe9ec2ca4460098b491031eab0f8c30b7080f5eb00

    • SHA512

      3deaabc3519eeb1eba3953c2054451f2fa6cfe3f297c643cb29b9017a43d5a43d8dafea5107b0dfe412917932ce40857c0f942e791f76ab8afa5bf4c310b8e37

    • SSDEEP

      3072:sr85CDzbFk58x+o+EFz9/t2f65q8hPBJ2bIoKbwLIQ8YzXEMZK1A2W:k9vxk5zOFNtgJmBJCUbwstYrEMw63

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Neshta family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9067) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks

static1

neshta
Score
10/10

behavioral1

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral2

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral3

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral4

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral5

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral6

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral7

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral8

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral9

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral10

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral11

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral12

defense_evasiondiscoveryexecutionimpactransomwarespywarestealer
Score
10/10

behavioral13

neshtadefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral14

neshtadiscoverypersistenceransomwarespywarestealer
Score
10/10